In two influential articles in June 2016, published immediately after the Crowdstrike announcement, SecureWorks (June 16 and June 26) purported to connect the DNC hack to a 2015-16 phishing campaign that they attributed to APT28. SecureWorks identified two malicious domains in those articles. In today’s article, I’ll show that infrastructure from one domain is connected to domains identified as APT28 in the early literature, while infrastructure from the other domain leads in an unexpected direction.
SecureWorks Phishing Examples
SecureWorks showed two examples of phishing emails in their June 26, 2016 article, both from 2015. A distinctive feature of this phishing campaign was the use of Bitly short links to further camouflage the typosquatting domain.
accoounts-google.com
Their first example was taken from phishtank.com incident reports 3160712 and 3160715, the first reporting the Bitly link and the second the expanded URL, which pointed to accoounts-google.com, a malicious typosquatting domain.
The full syntax of the expressions is not shown in the SecureWorks figures but, for completeness, is shown below. First, here is the expansion of Bitly link 1PXQ8zP+ (presently flagged by Bitly as malicious) and the full expression in phishtank.com incident 3160715:
The malicious address served a webpage exactly emulating the Gmail log-in page, at which the target would be invited to enter credentials, after which they would be forwarded to the real login page. Meanwhile, their mailbox would be harvested by the attackers more or less immediately, without their knowledge.
Phishtank incidents 3160712 and 3160715 were submitted by user aksana (metadata chopped off in the SecureWorks figure), who was, by coincidence or not, involved with InformNapalm, a Ukrainian hacking group followed by Dmitri Alperovitch of Crowdstrike.
googlesetting.com
Their second example used a different typosquatting domain (url.googlesetting.com) but otherwise nearly identical syntax to the unpacked Bitly expression shown above (url/continue=*&df=*&tel=1).
In this case, the first parameter in the expression (YZGlmZ…) is the base64 encoding (an encoding, not encryption, so anyone holding the URL can decode it) of the Gmail address of an attaché in the Embassy of Italy in Australia.
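Because the address is only base64-encoded, the phish itself tells an analyst who it was sent to. The script below is an added example (not code from the post or from SecureWorks) that recovers the address from a URL built on the same continue=*&df=*&tel=1 skeleton and flags the host as a Google lookalike. The sample URL is constructed: the host is the typosquat domain named above, but the placeholder address target@gmail.com and the choice of df as the carrying parameter are assumptions, so the decoder tries every query parameter rather than trusting the position.

```python
"""Recover the target address and flag the lookalike host in a phishing URL
built like the SW-2015 examples (query skeleton continue=*&df=*&tel=1).

Added example, not code from the post or from SecureWorks."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample. Host from the post; which parameter carries the
# base64 address (df) and the placeholder address are assumptions.
SAMPLE_URL = (
    "http://url.googlesetting.com/?continue=https://mail.google.com/mail/"
    "&df=dGFyZ2V0QGdtYWlsLmNvbQ%3D%3D&tel=1"
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def b64_decode_lenient(value: str):
    """Decode standard or URL-safe base64, tolerating stripped '=' padding.

    Returns the decoded text, or None when the value is not base64 at all
    (which is what the continue= and tel= parameters look like)."""
    v = value.strip().replace("-", "+").replace("_", "/")
    v += "=" * (-len(v) % 4)          # re-pad to a multiple of four
    try:
        return base64.b64decode(v, validate=True).decode("utf-8")
    except ValueError:                # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def extract_targets(url: str) -> dict:
    """Map each query parameter whose value base64-decodes to an e-mail
    address onto that address, whichever position it sits in."""
    query = urlsplit(url).query
    found = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:            # parse_qs already URL-decodes %3D -> =
            decoded = b64_decode_lenient(raw)
            if decoded and EMAIL_RE.match(decoded):
                found[name] = decoded
    return found


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels. Adequate for .com
    hosts like url.googlesetting.com; a real tool should consult the
    public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_google_lookalike(url: str) -> bool:
    """True when the host trades on the Google name but is not under
    google.com, i.e. a spoof or typosquat such as accoounts-google.com."""
    host = urlsplit(url).hostname or ""
    return "google" in host and registered_domain(host) != "google.com"


if __name__ == "__main__":
    print(extract_targets(SAMPLE_URL))      # {'df': 'target@gmail.com'}
    print(is_google_lookalike(SAMPLE_URL))  # True
```

The lenient decoder matters in practice: short-link expanders and mail gateways often strip trailing "=" padding or URL-encode it, and a strict decoder would silently miss the address.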
Registrant Email Addresses
googlesetting.com
SecureWorks didn’t discuss how it attributed the SW-2015 phishing campaign to APT28. However, there is an obvious connection via the registrant email for googlesetting.com, of which url.googlesetting.com is a subdomain. Its registrant, andre_roy@mail.com, is also the registrant for numerous domains in the October 2014 PWC inventory of APT28 domains. This is nicely shown in the ThreatCrowd connections graph for url.googlesetting.com, shown below. The two domains and the registrant email address are highlighted, as are two IP addresses (58.158.177.102 and 37.221.165.244) which, for now, are Easter eggs. All the domains linked to andre_roy were previously identified as APT28. Seems pretty convincing.
accoounts-google.com
However, the registrant and registrant email address for the other phishing domain, accoounts-google.com, lead in a different and unexpected direction. A standard WHOIS lookup at whois.icann.org yielded registrant Gennadiy Borisov in Varna, Bulgaria, together with registrant email yingw90@yahoo.com; the screenshot is reproduced below.
In the prior post on the Lurk banking gang, Gennadiy Borisov and yingw90@yahoo.com were the registrant name and registrant email of dozens, if not hundreds, of crimeware domains associated with the Angler exploit kit. (This unexpected appearance of yingw90 is the “Easter egg” promised in the preceding post.)
In other words, one of the domains (accoounts-google.com) in the SW-2015 phishing campaign appears to connect just as strongly (shared registrant name and registrant email) to the Angler crimeware group as the other domain (url.googlesetting.com) connects to the APT28 group.
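The registrant pivot used in both Whois sections above, and the "chain of infrastructure" attribution questioned in the Discussion, is mechanically a graph walk: domains are linked through shared indicators (registrant email, registrant name, hosting IP), and confidence should fall with every hop and with every weak indicator admitted. The script below is an added example, not code from the post, that runs that walk over a constructed dataset. The two phishing domains, the two registrant emails and the registrant name are the ones the post reports; the *.invalid domains stand in for the PWC-2014 APT28 inventory and the Angler crimeware domains, which the post does not list; the 192.0.2.0/24 addresses are RFC 5737 documentation space and are not the two IPs mentioned above; the shared-hosting tenant is hypothetical.

```python
"""Registrant / hosting pivot over a constructed WHOIS-style dataset.

Added example, not code from the post. Records are constructed: only the two
phishing domains, the two registrant e-mails and the registrant name come
from the post; *.invalid domains and 192.0.2.x addresses are placeholders."""
from collections import defaultdict, deque

RECORDS = [
    # (domain, registrant_email, registrant_name, hosting_ip)
    ("googlesetting.com",          "andre_roy@mail.com", None,               "192.0.2.10"),
    ("apt28-inventory-1.invalid",  "andre_roy@mail.com", None,               "192.0.2.11"),
    ("apt28-inventory-2.invalid",  "andre_roy@mail.com", None,               "192.0.2.12"),
    ("accoounts-google.com",       "yingw90@yahoo.com",  "Gennadiy Borisov", "192.0.2.20"),
    ("angler-crimeware-1.invalid", "yingw90@yahoo.com",  "Gennadiy Borisov", "192.0.2.21"),
    ("angler-crimeware-2.invalid", "yingw90@yahoo.com",  "Gennadiy Borisov", "192.0.2.22"),
    # Hypothetical third party that merely shares a hosting IP with googlesetting.com
    ("tenant-shop.invalid",        "owner@example.net",  "Example Owner",    "192.0.2.10"),
]

# Prior attribution of the known domains (also constructed).
LABELS = {
    "apt28-inventory-1.invalid":  "APT28 (PWC 2014 inventory)",
    "apt28-inventory-2.invalid":  "APT28 (PWC 2014 inventory)",
    "angler-crimeware-1.invalid": "Angler crimeware (Lurk)",
    "angler-crimeware-2.invalid": "Angler crimeware (Lurk)",
    "tenant-shop.invalid":        "unrelated shared-hosting tenant",
}


def build_graph(records, use_ip):
    """Bipartite graph: domain nodes <-> indicator nodes (email, name, ip).
    Shared IP is only admitted as a link when use_ip is set, because on
    shared hosting it ties together unrelated tenants."""
    adj = defaultdict(set)
    for domain, email, name, ip in records:
        indicators = [("email", email), ("name", name)]
        if use_ip:
            indicators.append(("ip", ip))
        for kind, value in indicators:
            if not value:
                continue
            adj[("domain", domain)].add((kind, value))
            adj[(kind, value)].add(("domain", domain))
    return adj


def pivot(seed, records=RECORDS, labels=LABELS, max_hops=1, use_ip=False):
    """BFS from a seed domain. Returns {label: (hops, path)} for every
    labelled domain reached within max_hops domain-to-domain hops, together
    with the chain of indicators that got there. Neighbours are visited in
    sorted order so the reported path is deterministic."""
    adj = build_graph(records, use_ip)
    start = ("domain", seed)
    parent = {start: None}
    dist = {start: 0}
    queue = deque([start])
    reached = {}
    while queue:
        node = queue.popleft()
        hops = dist[node] // 2                 # domain -> indicator -> domain = 1 hop
        if node[0] == "domain" and node != start:
            label = labels.get(node[1])
            if label and label not in reached:
                path, cur = [], node
                while cur is not None:
                    path.append(f"{cur[0]}:{cur[1]}")
                    cur = parent[cur]
                reached[label] = (hops, path[::-1])
        if node[0] == "domain" and hops >= max_hops:
            continue                            # do not pivot further from this domain
        for nxt in sorted(adj[node]):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                parent[nxt] = node
                queue.append(nxt)
    return reached


if __name__ == "__main__":
    for seed in ("googlesetting.com", "accoounts-google.com"):
        print(seed, "->", pivot(seed))
    print("with shared IPs:", pivot("googlesetting.com", use_ip=True))
```

Run as written, each phishing domain reaches exactly one cluster in one registrant hop, and neither reaches the other cluster even at five hops with IP links admitted; switching on shared-IP links immediately pulls in the unrelated tenant, which is why the hop count and the indicator kind on each path are the things to read before believing an attribution chain.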
Discussion
APT28 (Fancy Bear) is characterized in the computer security literature as a single, distinct hacking group which uses characteristic malware: Sofacy, Chopstick and Eviltoss (or variations thereof, with names varying between vendors). It is characterized by resourcefulness and ingenuity in developing zero-day exploits to deliver that malware. It is usually said to be narrowly focused on the defence and government sectors. Two of its most common delivery methods are a malicious document attached to an email, or a link to a malicious page of topical interest that downloads malware in the background.
On the other hand, phishing (and credential theft through phishing) is one of the most common and commonplace forms of cybercrime and difficult to attribute. In late 2014, Google researchers examined thousands of phishing incidents, observing that credential theft was used to “send spam, to tap into the social connections of victims to compromise additional accounts or alternatively liquidate a victim’s financial assets”. They reported that “phishing requests target victims’ email (35%) and banking institutions (21%) accounts, as well as their app stores and social networking credentials”. In the hijacking cases that they analyzed, they found that “most of the hijackers appear to originate from five main countries: China, Ivory Coast, Malaysia, Nigeria, and South Africa”. In late 2014, a computer security analyst, commenting on the Google article, showed examples of typical gmail phishing emails and webpages, noting that they had seen “400+ Google-related phishing URLs” in the previous week:
These just a few examples of the “look and feel” of some of the 400+ Google-related phishing URLs we’ve seen in the past seven days at Malcovery security. Most of them were seen many times each!
The phishing webpages in the 2015-2016 phishing campaign of interest to SecureWorks (the “SW Phishing Campaign”) were no better and no worse than others in the genre.
To my knowledge, there have been no reports of distinctive APT28 malware being installed on the targets of the SW Phishing Campaign. Instead, it was an entirely commonplace attempt to steal credentials, indistinguishable in structure from thousands of similar attempts to steal email, banking and other credentials. It specifically targeted Gmail credentials which, together with Yahoo and Microsoft credentials, are the most common targets of credential theft. Such campaigns frequently use domain names which “spoof” or “typosquat” the legitimate names; there is nothing distinctive to APT28, or even to Russia, in that technique. The operator could just as easily be Nigerian or American.
Attribution of the phishing campaign to APT28 was therefore done on the basis of infrastructure connections. But while there is an infrastructure association to APT28, there is also an association to a prominent crimeware gang.
From this, I’m beginning to question how “APT28” is defined and attributed. On the one hand, one sees incidents in which Sofacy and Coreshell/X-Agent are dropped onto computers using sophisticated zero-day exploits; these seem useful attributions. On the other hand, one sees incidents of commonplace credential phishing, without accompanying Sofacy or Coreshell malware, which are attributed through supposed chains of infrastructure (e.g. a registrant email address or a common IP address) going back to incidents as far back as 2014, not necessarily well documented. As an outsider to these attribution arguments, this latter class of attribution seems to me to warrant lower confidence. If the information is contradictory, then I don’t see how much confidence can be attached at all.